CUSTOMER CHALLENGE
A major financial services and banking organization recognized the need for better security practices and for insight into its own applications, driven in part by the expectation that incoming regulation would require further diligence. With this in mind, the customer had established a Center of Excellence to translate and manage its response to security mandates from both internal and external sources. The workload was staggering, and simple, automated tools were necessary to handle the enormous number of applications under examination.
SOLUTION & RESULTS
In this case the Center of Excellence had three major areas of interest in its results: the requirement to report to auditors and examiners on application security, internal requirements to assess security and risk in critical applications, and the requirement to equip and educate the development community with information about application security and vulnerabilities. The solution had to cover the assessment of both newly delivered and existing applications.
This organization had begun adopting application source assessment tools in 2004 with a non-Ounce, developer-focused tool. The customer recognized that it needed a means of making the security criteria consistent across multiple developers and development groups. It also needed a system that could gather the assessment information centrally and automatically create the outputs necessary for auditor and management reporting.
The Center of Excellence was already staffed with individuals familiar with application security and with the assessment process. Their implementation included centralized Ounce Cores, on which a single set of rules was created for use by all developers and development groups. The implementation also included broad distribution of the Ounce unlimited developer plug-ins, which were fed information and guidance from both the Center of Excellence and the internal application security experts and architects within the development groups. The team customized the existing SmartAudit reports to provide preconfigured reporting for a subset of their auditing criteria, and these reports were generated and distributed automatically on a defined schedule.
The Ounce product suite allowed the core team of security practitioners within the Center of Excellence to establish a security system and process connecting all staff concerned with security. This leading financial services provider learned that application security is about more than just development, although developers can play a critical role in its improvement. Through the use of the Ounce tools, centralization of control and consistent, automated reporting were a natural byproduct of this Center of Excellence's effort.